Department of Health and Human Services (HHS)
Security Categorization: Moderate
System Security Plan
Version 1.0
April 23, 2015
Prepared by
Atausch Paolini
CMIS 412
INTRODUCTION
The purpose of the system security plan (SSP) is to provide an overview of federal information system security requirements and describe the controls in place or planned to meet those requirements for the Department of Health and Human Services. Each SSP is developed in accordance with the guidelines contained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide for Developing Security Plans for Information Technology Systems, and applicable risk mitigation guidance and standards. Through
The analysis of risk assessment controls is an important aspect of a system, as it is used as a basis for identifying and selecting appropriate and cost-effective measures.
1.1.1 RA-1: Risk Assessment Policy and Procedures
Implementation Status: In place.
Implementation of Control: The Department of Health and Human Services has implemented risk assessment policies and procedures such as HIPAA, through its regulatory compliance with OMB Circular A-130 and the NIST SP 800-37 Rev. 1 standard. It has done so by establishing, disseminating, and periodically reviewing and updating a formal, documented risk assessment policy and procedures that address the purpose, scope, roles, responsibilities, and compliance of the organization. Furthermore, HHS has also followed this control through the development and implementation of policies, “the organizational commitment to information security and the actions required to effectively manage risk and protect the core missions and business functions being carried out by the organization” (DHHS, 2011).
1.1.2 RA-5: Vulnerability Scanning
Implementation Status: In place.
Implementation of Control: In order to meet this risk assessment control, the Department of Health and Human Services uses appropriate vulnerability scanning tools such as those of the Operating Divisions (OPDIVs) which ensure the
The purpose of risk assessment is not to remove risks, but to take reasonable steps to reduce them. The process involves looking at the risk and considering what can be done to make it less likely that the risk will develop into a reality. This can be done through implementing policies and codes of practice, acting in the individual’s best interests, fostering a culture of openness and support, being consistent, maintaining professional boundaries, and following systems for raising concerns.
All Americans require assurance and protection measures to shield their daily lives, and healthcare laws, government regulations, and policies do just that. The United States government manages these requirements with the expectation of enhancing the health of the general population while building up the tools, resources, and programs that assist in the delivery of medical care services. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), alongside the security law, has affected preventive care services and how they are delivered. HIPAA was intended to guarantee that suitable systems were implemented to protect patients’ data while they receive care.
* Risk assessments – Local and governing authorities make compulsory the use of risk assessments. Risk assessments are carried out to evaluate any potential hazards that may
Risk assessments can help address dilemmas between rights and health and safety concerns by helping reduce any risks created by undertaking certain tasks. Risk assessments are not in place to prevent an individual from doing things that they want to do; they are in place to concentrate on the risk factors and to look at other ways to reduce the risk of the task in hand.
Healthcare technology has grown and evolved over time. With the conversion to electronic medical records and the creation of social media just to name a few, ensuring patient privacy is of the utmost importance for healthcare facilities in this day and age. In order for an organization to avoid hefty fines, it is imperative that a healthcare administrator maintains compliance with the standards and regulations associated with the Health Insurance Portability and Accountability Act (HIPAA). This paper will provide a summary
To remain in compliance with HIPAA and HITECH, security planning is essential for data backup and recovery. Assessing risks to determine the potential downfalls of any health information system is essential. Once those risks are identified, policies and procedures can be created, implemented, and enforced to ensure a safety culture. For example, an organization will have a policy on the appropriate downtime procedure at its facility. This policy will provide adequate detail on the proper procedures, ensuring staff feel confident. By performing downtime procedures, the organization is staying compliant with regulations and ensuring a safe and easy data backup and recovery plan (Hawkins, 2013).
The purpose of a risk assessment (RA) is to identify the entire organization’s risks and quantify the
3.7. Using a risk assessment to promote health and safety is very important to ensure that the individual is kept safe in the workplace. Risk assessments evaluate the risks and identify hazards so that precautions can be put in place to reduce the risks. Reporting and recording the outcome of the risk assessments makes things clearer and helps keep everybody protected and safe.
Regulations placed upon the healthcare system only seek to improve the safety and security of the patients we care for. Through the enactment of the Health Insurance Portability and Accountability Act (HIPAA) and the Meaningful Use Act, the United States government has set strict regulations on the security of health information and has allowed for stricter penalties for non-compliance. The advancement of electronic health record (EHR) systems has brought greater fluidity and compliance to healthcare but has also brought greater security risk to protected information. In order to ensure compliance with government standards organizations must adapt
Risk assessment is conducted by people who can assess specific work activities and understand real working procedures, hazard-related activities, activity frequency, and risk probability and severity (Reference 2).
Risk assessments are used to identify potential harm to an individual or persons. This identifies the possibility of a hazard and helps to reduce the possibility of harm; they are put in place to safeguard individuals. Risk assessments are reviewed and can be added to or changed if necessary.
The government has also ensured compliance with HIPAA by implementing the HIPAA audit. The audit focuses on specific controls, covering such topics as policies and procedures to ensure the privacy and confidentiality of patients’ PHI and the evaluation of action plans for security violations. Other security measures, including background checks of employees, internal restrictions on the availability of private information, and physical security measures, are examined to determine if they comply with the guidelines established by HIPAA.
Under the HIPAA Security Rule, health care providers are required to conduct an accurate and thorough analysis of potential risks and vulnerabilities. Protecting the confidentiality, integrity, availability, and privacy of data in health care is very important. For a risk analysis, health care providers would prioritize risks based on the severity of the impact each would cause to their patients and practices (Security Risk Analysis TipSheet, 2014). In addition, they would identify the potential threats to patient privacy and security (Security Risk Analysis TipSheet, 2014). A risk analysis process would include determining the likelihood and impact of potential risks to electronic protected health information, implementing security measures to
Ten years ago, after many challenges and questionable skepticism, the HIPAA policy became effective and has been shaping healthcare one regulatory policy at a time. The evolution of the HIPAA Privacy Rule helped establish the HIPAA Security Rule, which was published in 2003 and became effective in 2005, and then eventually led to the HIPAA Enforcement Rule and the Breach Notification Rule. With its joint fortification by the 2009 HITECH Act and HIPAA’s modifications to regulations, it was released in January 2013 to the industry (American Health Information Management Association, 2013).
The NYC Department of Health and Mental Hygiene serves New York City and covers all five boroughs: Manhattan, Staten Island, Brooklyn, Queens, and the Bronx. It is located in an urban center. This department serves a diverse population of about 8 million people with different cultural, ethnic, and economic backgrounds. The major industries in NYC are financial services, health care, technical services, retail trade, food service, and manufacturing. A characteristic of this urban center is that it is an international city with mixed, cross-cultural groups. This city has people from different backgrounds and is known as a broad-based land of immigrants. New York City is also known as the wealthiest city, with growing job opportunities in all different fields (New York City Population).